Log files?
Hello,
Does "Firewalla Gold" log its actions, etc. in log files on the file system?
I would like to collect them and send them to a Splunk system for monitoring and analysis.
-
@Scott Copeland
I think you are being a bit rough on the Firewalla team. This team has been working flat out for a few years at this point. They haven’t just created a startup with a new product and supporting software, they have come up with five new hardware products. They have implemented a lot of our requested features. I am sure they have a backlog they groom daily and prioritize based on market need and what addresses the broadest customer wants.
Those on this thread are certainly on the long tail.
Check out our other posts, we’ve been sending to Splunk, and for a while ELK as well, so as-is it can be done. If you’re using Security Onion you shouldn’t have any trouble sending Firewalla logs to it.
-
See if this fits what you need: https://help.firewalla.com/hc/en-us/articles/5345330648083-MSP-API-Getting-Started-
-
If you’re trying to lower the associated MSP portal infra costs for AWS, why don’t you use Linode instead. Much less expensive.
https://www.linode.com/aws-vs-linode/
-
For those who may want to set up syslog with Firewalla this script may be helpful.
https://gist.github.com/mbierman/f3d184b65e0f4de6fa75a4a5d5145426
-
Hello,
I am new to Firewalla and was looking at the information here and wondered, why not just create an rsyslog configuration file like /etc/rsyslog.d/45-current.conf, which contains:

# load the file-input module and poll the watched files every 10 seconds
module(load="imfile" PollingInterval="10")
# pick up every log file under /log/blog/current and tag each message
input(type="imfile" File="/log/blog/current/*.log" Tag="current-log" Severity="error" Facility="local7")
# forward the tagged messages to the collector over TCP, with a retry queue,
# then stop so they are not also written to the local syslog
if $syslogtag contains "current-log" then {
    action(type="omfwd" target="192.168.x.x" port="514" protocol="tcp"
           action.resumeRetryCount="100"
           queue.type="linkedList" queue.size="10000")
    stop
}

This takes all the log files in /log/blog/current and forwards them to the target host.
Once you add this file, you run:
sudo systemctl restart rsyslog
I do not know if this file will survive an update to Firewalla, but it works on my Firewalla Purple right now.
-
I saw this thread has been going since 2020, so I figured I'd share what I built. It's a complete, open-source pipeline that ships Zeek dns.log, conn.log, and ACL alarm logs from a Firewalla Gold SE to Axiom (free cloud log analytics).
Key differences from the find | zcat | nc approaches discussed earlier in this thread:
- Real-time tailing via Fluent Bit (Docker) — no cron-based batch shipping
- Device name resolution — automatically exports names from Redis so dashboards show device names, not MACs
- Firmware-update resilient — uses post_main.d/ persistence, auto-restarts, health checks
- Self-healing — handles Axiom outages, stale position trackers, tmpfs filling up
- Pre-built dashboard queries for per-device DNS history, group analytics, IoT accountability, anomaly detection
- ~50MB RAM overhead on the Firewalla
- $0/month — Axiom free tier (500 GB/month, 30-day retention)
Tested on Gold SE with 91 devices. Should work on Gold Pro and Purple SE.
Full repo with one-command deploy: https://github.com/PitziLabs/firewalla-axiom-pipeline
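For anyone who wants to ship the same Zeek logs to Splunk (the original question) rather than Axiom, here is a small added example of the two pieces that pipeline does before anything leaves the box: parsing Zeek's TSV log format (header lines, `-` for unset fields, `(empty)` for empty ones, vector columns) and turning each record into a Splunk HEC event with a device name attached. This is my own illustration, not code from the linked repo or from any poster. The dns.log sample, the IP-to-name map (the repo resolves names from Redis by MAC; a plain IP-keyed dict stands in for that here), the host name and the Splunk URL/token are all constructed placeholders. Nothing is sent over the network; the last function only builds the request so you can see the endpoint and header HEC expects.

```python
"""Zeek TSV log -> Splunk HEC events (added example, assumptions marked below)."""
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Constructed sample: a short Zeek dns.log in its standard TSV layout.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tanswers",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\tvector[string]",
    "1700000000.123456\tCabc1\t192.168.1.20\t51234\t192.168.1.1\t53\tudp\texample.com\tA\tNOERROR\t93.184.216.34",
    "1700000001.500000\tCabc2\t192.168.1.21\t51235\t192.168.1.1\t53\tudp\tupdate.example.net\tAAAA\tNXDOMAIN\t-",
    "#close\t2023-11-14-22-13-21",
])

# Constructed stand-in for the Redis-exported device names (keyed by IP here).
DEVICE_NAMES = {"192.168.1.20": "living-room-tv", "192.168.1.21": "thermostat"}


@dataclass
class ZeekLog:
    path: str = ""
    records: List[Dict[str, Any]] = field(default_factory=list)


def _convert(raw: str, ztype: str, unset: str, empty: str, set_sep: str) -> Any:
    """Map one TSV cell to a Python value using the column's Zeek type."""
    if raw == unset:
        return None
    if ztype.startswith(("vector[", "set[")):
        return [] if raw == empty else raw.split(set_sep)
    if raw == empty:
        return ""
    if ztype in ("time", "interval", "double"):
        return float(raw)
    if ztype in ("port", "count", "int"):
        return int(raw)
    if ztype == "bool":
        return raw == "T"
    return raw  # addr, string, enum and anything else stay as text


def parse_zeek_tsv(text: str) -> ZeekLog:
    """Parse a Zeek TSV log, honouring its self-describing header lines."""
    log = ZeekLog()
    fields: List[str] = []
    types: List[str] = []
    unset, empty, set_sep = "-", "(empty)", ","
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "types":
                types = value.split("\t")
            elif key == "path":
                log.path = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "set_separator":
                set_sep = value
            continue  # #separator, #open, #close need no action
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"column count {len(cols)} != {len(fields)} fields")
        log.records.append({n: _convert(c, t, unset, empty, set_sep)
                            for n, t, c in zip(fields, types, cols)})
    return log


def to_hec_events(log: ZeekLog, host: str, names: Dict[str, str]) -> str:
    """Render records as newline-delimited HEC JSON events with device names."""
    out = []
    for rec in log.records:
        event = dict(rec)
        orig = event.get("id.orig_h")
        event["device_name"] = names.get(orig, orig)  # fall back to the raw IP
        out.append(json.dumps({
            "time": rec["ts"],                    # HEC accepts epoch seconds with fraction
            "host": host,
            "source": f"zeek:{log.path}",
            "sourcetype": f"zeek:{log.path}",
            "event": event,
        }, separators=(",", ":")))
    return "\n".join(out)


def build_hec_request(base_url: str, token: str, batch: str) -> Dict[str, Any]:
    """Assemble (but do not send) the HEC POST: endpoint, auth header, body."""
    return {
        "url": base_url.rstrip("/") + "/services/collector/event",
        "headers": {"Authorization": f"Splunk {token}",
                    "Content-Type": "application/json"},
        "body": batch.encode("utf-8"),
    }


if __name__ == "__main__":
    parsed = parse_zeek_tsv(SAMPLE_DNS_LOG)
    batch = to_hec_events(parsed, "firewalla-gold", DEVICE_NAMES)
    req = build_hec_request("https://splunk.example:8088", "HEC-TOKEN-PLACEHOLDER", batch)
    print(req["url"])
    print(batch)
```

The parser follows the header lines rather than hard-coding column positions, so the same function handles conn.log or an ACL log with a different `#fields` line. If you do POST the batch, do it over TLS with the token kept out of the script file, and keep the rsyslog-style retry queue idea from earlier in the thread: HEC returns non-2xx on a bad token or a full index, and a tailer that drops on error silently loses events.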